Introduction


Lack  of  security  and  privacy  are  two  very 
common  problems  facing  those  involved  with 
computers  today.  Many  people  in  the  computer 
business  are  simply  not  aware  of  or  are 
apathetic  to  ADP  (automated  data  processing) 
security  and  privacy  matters. 

Loss of security and privacy is, however, a
very  real  threat  in  today's  highly  automated 
world.  Without  strict  security  and  privacy 
regulations,  data  could  be  lost,  stolen,  or 
manipulated.  Since  much  modern  data  are 
beginning  to  be  stored  in  ADP  systems,  misuse, 
mismanagement,  or  just  plain  carelessness  could 
result  in  major  problems  for  a  great  number  of 
people. 

Some security can be built into ADP hardware
and software during the developmental phase,
but, at the present time, no system is
completely secure. It is the responsibility of
computer users/custodians to maintain a high
level of security and privacy for all computer
files.

Because of the obvious lack of awareness
concerning  security  and  privacy,  the  following 
questions  need  to  be  answered: 

1.  What  do  the  terms  "security"  and 
"privacy"  mean  when  used  in  connection 
with  ADP  hardware  and  software? 

2.  What  happens  when  there  is  a  lack  of 
security?  of  privacy? 

3. What are some of the causes of this lack
of  security  and  privacy? 

4.  Who  has  the  ultimate  responsibility  for 
maintaining  security  and  determining 
privacy  requirements? 

5. What are some of the possible solutions
for these problems?

Security—What Is It?


According to Webster, security is a state of
being or feeling secure; freedom from fear,
anxiety, danger, doubt, etc. It is also a state or
sense of safety or certainty.


How  Does  Security  Relate  to  ADP  Systems? 


In order to have a secure ADP system, only
those with a need-to-know should have access
to data. Security also means that data in ADP
systems should be correct and their integrity
intact. In other words, security refers to the
protection of resources from damage and the
protection of data against accidental or
intentional disclosure or unauthorized
modification or destruction.


What Are ADP Systems?


Automated data processing systems are
primarily, but not solely, computers. An ADP
system is essentially made up of six elements:

1. Its physical environment,
2. People dealing with the system,
3. Communications,
4. Policies and procedures,
5. Hardware, and
6. Software.


Why Is Security Such a Problem?


Security in ADP systems is becoming a
problem in direct proportion to the increase in
the number of computer systems
available. One major reason computers face
security problems is because they are located in
a hostile environment. Such vulnerability stems
from the following factors:

1. Complexity,
2. Speed of operation,
3. Vast amounts of data,
4. Inadequate audit trails,
5. Telecommunications,
6. Complicated operating systems, and
7. Lack of understanding about security
aspects.

The security aspects of ADP systems can be
defined as:

1. Large scale data bases containing sensitive
information,

2. Remote access considerations,

3. Constant growth in numbers of users, and

4.  Increase  in  numbers  of  personnel  with 
technical  knowledge  required  to  access 
computer  systems. 

Why  Are  Security  Problems  on  the  Rise? 

In  today's  complex  world  there  is  an 
increased  dependency  upon  computer  systems 
for  critical  and  sensitive  applications. 

Dependency  also  stems  from  a  lack  of  manual 
back  up  systems  and  inadequate  contingency 
planning. 

Although there is an increased dependency
upon computers, there has been apathy or a
lack of awareness concerning security because
of work exigencies. There is also the matter of
limited resources which require careful
consideration of priorities.

In other words, because of the great demand
for fast, efficient computer services, security has
not been completely and competently
maintained.

Are  There  Any  Other  Security  Problems? 

In  addition  to  the  vulnerabilities  produced  as 
a  by-product  of  the  computer  industry  growth, 
there  are  certain  very  real  threats  to  security 
including: 

1. Natural hazards

• Fire,
• Flood,
• Severe storm,
• Failure of electrical power (e.g., air
conditioning),
• Communications failure, and
• System failure.

2. Accidental errors, omissions, or failures

• User errors,
• Operator errors,
• Data preparation errors,
• Application program errors,
• Output errors,
• System errors,
• Communication errors, and
• Inadvertent release of sensitive
information.

3. Deliberate computer abuse

• Fraud,
• Embezzlement,
• Theft,
• Malicious damage,
• Unauthorized use of facilities,
• Sabotage,
• Espionage, and

What Can Be Done About Such Threats?


It would be difficult, if not impossible, to
prevent natural hazards. However, accidental
errors, omissions, or failures, and deliberate
computer abuses are problems that can be kept
to a minimum with proper maintenance and
surveillance. Although security should be built
into a system, no system can be really secure
unless the user makes it secure. To put this
another way, no matter how many security
gadgets are used, a secure system is no better
than the person using it. Security must be a
personal matter with every computer operator
and user in order to have a significant impact.


Who  Is  Actually  Responsible  for  Security? 


It is the responsibility of the system designers
and manufacturers to build security into an ADP
system. Users have the responsibility to maintain
a careful watch on their security practices.
Management is also responsible since they
should set up security requirements and
regulations for their employees. In addition, the
vendors and users should work together to
determine who is responsible for what
computer security function.

It should be kept in mind, though, that when
a security system is being set up, requirements
and regulations should be easily understood and
workable. Too much restriction and too much
regulation are as bad as too little of either one.

What Roles Do Management and Users
Play in Security Problems?


In  most  cases,  management  plays  a  key  role 
in  the  problems  associated  with  security.  In 
general,  most  managers  are  mission-oriented. 
They  are  more  concerned  with  the  ultimate 
product  than  with  the  production  process. 
Management  has  recently  become  more  aware 
of  the  critical  problems  associated  with 
computer  security  and  they  are  taking  strong 
measures  to  resolve  those  problems. 

Individual  users  also  have  problems  with 
security.  There  seems  to  be  a  lack  of  concern 
with  regard  to  system  security.  The  user  has  a 
tendency to view a computer as just another
inanimate  object,  and  yet,  this  inanimate  object 
still  presents  a  challenge  to  him.  In  most  cases, 
a  user  will  not  consider  computer  abuse  (on  a 
small  scale)  a  crime.  Computer  system  users  can 
also  be  lax  about  reporting  known  security 
violations  because  they  don't  realize  that  it  can 
jeopardize  their  own  security. 


There  is  also  another  problem  regarding  user 
security.  Many  computer  users  feel  that  the 
classification  of  data  is  the  responsibility  of 
those  involved  with  computer  operation  rather 
than that of computer users. In fact,
classification rests in the hands of subject matter
specialists,  not  computer  operations  people. 

Today's computer world is marked by rapid
growth and extension of applications, continued
growth in the numbers of systems (especially
mini- and micro-computers), and large increases
in the numbers of people involved in data
processing. In such an environment,
management's lack of involvement and users'
apathy serve only to compound the ADP
security problem.

Privacy—What Is It?

Webster defines privacy as the quality or
condition of being private; withdrawal from
public view or company; seclusion; secrecy. It
can also be one's private or personal affairs.

How  Does  Privacy  Relate  to  ADP 
Systems? 

First of all, one must realize the amount of
sensitive personal data that is stored in today's
computers. A person's entire history is recorded,
including financial data, medical records, military
files, and so forth. An ADP system becomes a
storehouse of valuable but, in many cases, very
private information. Privacy, then, refers to the
rights of individuals and organizations to
determine for themselves when, how, and to
what extent information about them is to be
transmitted to others. Privacy is an issue that
goes far beyond computer centers and can be
thought of as a people problem since people
will, many times, affect it.


Who  Could  Gain  from  Use  of  Personal 
Data? 


A person who gained access to data files
without a need-to-know could cause many
problems, not only for the private citizen but for
others as well. He or she could, for example:

1. Manipulate data,

2. Modify/falsify data,

3. Acquire proprietary information and
programs,

4. Alter stored programs,

5. Change master files,

6. Access passwords/algorithms, or

7. Deny authorized access.

In other words, someone could deliberately
abuse computer files to affect many aspects of a
person's life, such as his credit rating,
employment records, even his community
standing.


Has  Anything  Been  Done  to  Prevent  Such 
Acts? 


Congress passed the "Privacy Act of 1974"
which sets up certain guidelines regarding
privacy and data stored in computers and
manual files. In essence, Congress recognized
that a person does have a right to privacy,
including privacy with regard to personal files.
However, there are instances when such files
would be made available to authorized persons
upon request.

What  Are  the  Custodian's  Responsibilities 
Concerning  Privacy? 

The custodian has a responsibility to
determine information necessary when a
request has been received for file information.
The accuracy standards should also be
determined, along with identification of
protection requirements, and the establishment
of the sensitivity of requested information.


The  custodian  should  also  determine  how  the 
use  of  the  information  requested  could 
adversely  affect  the  particular  individual 
involved.  He  can  do  this  by  considering  the 
following  criteria: 

1.  What  is  adverse? 

2.  What  data  are  vital? 

3. What should be done if vital information
is in error?

4. What should be done if vital information
is disputed?

5. What should be done if vital information
is missing?

6. How much impact will an error correction
have on a system?

A determination should also be made as to
the "need-to-know."


Summary  of  ADP  Security/Privacy 
Problems 


What  Can  Be  Done? 


The typical problem areas with regard to
computer security are as follows:

1. Insufficient emphasis on computer
security (i.e., inadequate security
planning/contingency planning),

2. Lack of vulnerability/threat/risk
assessment,

3. Lack of management involvement in
computer security issues, and

4. Lack of protection against natural
disasters.

Computer privacy problems include:

1. Manipulation of data (modification or
falsification),

2. Acquisition of proprietary information
without a "need-to-know," and

3. Unauthorized acquisition of
passwords/algorithms.


Security and privacy are two very important
facets that a society, which is fast becoming
automated, has to take into account. Although
many things contribute to a lack or loss of
security and privacy, the main ingredients in
any security or privacy problem are the people
involved with the systems. To most people,
"security" and "privacy" are nebulous terms, and
rather than learn all the rules and regulations
concerning them, they choose to be apathetic.
In order for society to have an effective and
efficient computerized network, not only the
systems themselves, but also all of the people
involved with them, must be geared toward
maintaining security and privacy. Security and
privacy measures cannot be looked upon as
unimportant or not pertinent, but must become
an integral part of the computer environment.


This booklet was prepared by the Computer Sciences
Department to promote awareness of computer
security and privacy problems.

Iitton, Graphics Branch, for conceiving and preparing
the artwork; to Ms. P. A. Ellis, Technical Writing
Branch, for coordinating and writing the booklet; and
to Mr. I. t. Seville, Jr., Programming and Computer

Questions and comments concerning the contents of
this booklet should be directed to Mr. J. R. Babiec
(Code 44 i).